1. Rules of play

Please adhere to the following rules while performing research on this program:

Denial of service (DoS) attacks on CrossEngage applications, servers, networks or infrastructure are strictly forbidden.

Tests that could cause degradation or interruption of our services are strictly forbidden.

Do not use automated scanners or tools that generate large amounts of network traffic. If you do use them, throttle them to a maximum of 1 request per second.

Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.

Do not copy any files from our applications/servers and disclose them.

No vulnerability disclosure, full, partial or otherwise, is allowed.

It is strictly prohibited to spam any of our forms, e.g. on the pages www.crossengage.io and crossengage.io.

2. Services in Scope

The scope of our program is simple. Any tech property that belongs to our business is in scope. Anything that you can break into, we have to assume an attacker can break into.

Our platform and services run under the following DNS scopes: *.crossengage.io, *.xng.rocks

3. Reward Structure

Incoming vulnerability reports are discussed and rated by our Security Board on a monthly basis. Our goal is to reward eligible reports in a reasonable way depending on the underlying risk potential. You may receive a small "sign of appreciation" of 50-100€ for minor issues and 500€ or more for severe issues affecting customer data or our technology infrastructure.

4. Qualifying Vulnerabilities

It is 2024 and we assume you know the common vulnerability types that an online business may be affected by. As long as the issue constitutes a tangible risk to our security posture, customer data or similar, it is likely going to qualify. Please understand this is a discretionary decision we make on a case-by-case basis for every incoming report.

5. Contact Us

You may report bugs by emailing [email protected]

If you’d like, you can encrypt your report using our GPG key.

Legal Aspects

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People’s Republic and Luhansk People’s Republic) on sanctions lists.

Participants of our program are responsible for any tax implications that are applicable.

Please understand that the decision as to whether or not to pay a reward is made entirely at CrossEngage’s discretion.